Thursday, July 31, 2025

Review - Bills Introduced – 7-31-25

Yesterday, with just the Senate in Washington, there were 39 bills introduced. Two of those bills may receive additional coverage in this blog:

S 2533 A bill to require performance and security audits of certain agency computer systems, and for other purposes. Whitehouse, Sheldon [Sen.-D-RI]

S 2551 A bill to provide the Secretary of Homeland Security with the authority to temporarily extend the duration of protections provided under the SAFETY Act, and for other purposes. Peters, Gary C. [Sen.-D-MI]

 

For more information on these bills, including legislative history for similar bills in the 118th, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-7-31-25 - subscription required.

Short Takes – 7-31-25

Republicans move to clear final hurdles to funding bill before recess. TheHill.com article. Pull quote: “Appropriators are crafting a three-bill package that covers full-year funding for the departments of Agriculture (USDA), Veterans Affairs (VA), Commerce, Justice (DOJ), the Food and Drug Administration (FDA), rural development, military construction and science agencies.”

Scammers Unleash Flood of Slick Online Gaming Sites. KrebsOnSecurity.com article. Pull quote: “However, any “winnings” displayed by these gaming sites are a complete fantasy, and players who deposit cryptocurrency funds will never see that money again. Compounding the problem, victims likely will soon be peppered with come-ons from “recovery experts” who peddle dubious claims on social media networks about being able to retrieve funds lost to such scams.”

New Deep Sea Creatures ‘Challenge Current Models of Life,’ Scientists Say. 404Media.co article. Pull quote: “Even at the Deepest [31,276 feet], animals are living off the submerged land, including roving sea worms called polychaetes and giant tube worms called siboglinids that measure nearly a foot in length. Whereas some animals in the deep sea consume the remains of dead stuff that has sunk down from the surface, these ecosystems are entirely powered by the outflows from the seeps.”

Why devastating tsunamis didn’t follow the Russia earthquake.  Pull quote: “There’s also “a small chance that any earthquake can be followed by a larger one, and so that’s why we always suggest that people stay on alert,” Briggs says. On July 20, this same region was struck by a magnitude 7.4 event, with this week’s quake happening less than two weeks later. “That’s an example, right there,” he says.”

EarthDaily nets $60 million loan to ramp up constellation expansion. SpaceNews.com article. Pull quote: “The remaining multispectral satellites are slated to launch across multiple rideshare missions in 2026, EarthDaily CEO Don Osborne told SpaceNews, with specific launches still being finalized with SpaceX.”

You may already have some protection from bird flu, but don’t count on it. ScienceNews.org article. Pull quote: ““Certainly, you can have pandemics even when there’s some existing weak immunity against the new strain,” he says. For instance, influenza pandemics in 1968 and 2009 happened despite many individuals having prior immunity to similar viruses. And preexisting immunity may have made the 2009 swine flu pandemic worse for some.”

Revising Spectrum Sharing Rules for Non-Geostationary Orbit, Fixed-Satellite Service Systems. Federal Register FCC final rule. Summary: “In this document, the Federal Communications Commission (Commission) announces that the Office of Management and Budget has approved new information collection requirements under OMB Control Number 3060-0678, as adopted in the Commission's Report and Order, FCC 23-29, and revised in the Commission's Second Report and Order, FCC 24-117.” Effective date: July 31st, 2025.

Pipeline Safety: Information Collection Activities. Federal Register PHMSA 30-day ICR notice. Two ICRs: Rupture Mitigation Valve Recordkeeping Requirements (2137-0637), and Rupture Mitigation Valve Notification Requirements (2137-0638). Comments due September 2nd, 2025.

Perchloroethylene (PCE); Regulation Under the Toxic Substances Control Act (TSCA); Request for Comment. Federal Register EPA notice. Summary: “The U.S. Environmental Protection Agency (EPA or Agency) is seeking public comment to inform its reconsideration of the Toxic Substances Control Act (TSCA) regulation for perchloroethylene (PCE). As promulgated in December 2024, the PCE risk management action addressed the unreasonable risk of injury to health presented by PCE under its conditions of use by requiring various workplace exposure controls, prohibiting certain industrial and commercial uses, and preventing consumer access to the chemical, among other provisions. This request for public comment follows the filing of several legal challenges to the rule in 2025, and EPA's subsequent determination that the PCE regulation under TSCA should be reconsidered through further rulemaking. EPA intends to consider information received in response to this public comment solicitation, and other reasonably available information, to inform the development of any proposed rule to amend the PCE regulation as appropriate.”  Comments due by August 29th, 2025.

Review – 2 Advisories Published – 7-31-25

Today CISA’s NCCIC-ICS published two control system security advisories for products from Rockwell Automation and Güralp. I also include a look at the availability of advisories from Rockwell.

Advisories

Rockwell Advisory - This advisory discusses four vulnerabilities in the Rockwell Lifecycle Services with VMware. These are third-party (VMware) vulnerabilities.

Güralp Advisory - This advisory describes a missing authentication for critical function vulnerability in the Güralp FMUS Series Seismic Monitoring Devices.

 

For more information on these advisories, including a down-the-rabbit-hole look at the availability of Rockwell advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-7-31-25 - subscription required.

OMB Approves Beyond Visual Line of Sight Operations NPRM

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a notice of proposed rulemaking from the DOT’s Federal Aviation Administration (FAA) on “FAA and TSA Normalizing Unmanned Aircraft Systems Beyond Visual Line of Sight Operations”. The rulemaking was submitted to OIRA on May 13th, 2025.

According to the Fall 2024 Unified Agenda entry for this rulemaking:

“This action would normalize certain low altitude unmanned aircraft systems (UAS) operations, while ensuring the safety and efficiency of the United States airspace. It is the next step in integrating UAS into the national airspace system (NAS), providing for significant safety, societal, and economic advantages and benefits. This action is expected to dramatically expedite the introduction of beyond visual line of sight (BVLOS) UAS operations in the NAS. Using consensus-based standards, this action would establish a regulatory process for issuing a special airworthiness certificate (SAC) for unmanned aircraft (up to 1,320 pounds), as well as the acceptance of their associated elements. It would create new operational and design requirements for unmanned aircraft issued a SAC, enabling routine beyond visual line of sight (BVLOS) operations without waivers or exemptions. The rulemaking would prescribe a new BVLOS rating for the remote pilot certificate. It would also build new operating rules for UAS cargo delivery for compensation or hire under the new part. Finally, this action would create a defined regulatory approval pathway for third-party services, to include UAS Traffic Management (UTM) service suppliers.”

It is interesting that OIRA’s announcement added the words “FAA and TSA” to the title of the rulemaking that were not included when it was submitted. First off, with FAA and TSA coming under different cabinet level agencies (DOT and DHS) there is no unified agency to coordinate the implementation and enforcement of the final rule. This is the reason that we typically see two agencies work up a memorandum of understanding about who has responsibility for the rulemaking process. Secondly, the TSA would theoretically be concerned about security issues related to UAS operations and there has been no discussion to date about any such issues (though, to be fair, it would not be hard to come up with some legitimate concerns).

I had not been intending to cover this rulemaking in any depth in this blog, but if there are UAS security issues included, that may change, depending on the cybersecurity implications of such proposed regulations.

Short Takes – 7-31-25 – Space Geek Edition

First Eris launch fails to reach orbit. SpaceNews.com article. Pull quote: “Failures of first launches of new rockets, particularly by new entrants, are not uncommon. In March, the first flight of the Spectrum small launch vehicle by Germany’s Isar Aerospace failed when the rocket lost attitude control about half a minute after liftoff from Norway’s Andøya Spaceport. The rocket tumbled back into waters next to the pad and exploded, but the company called the flight a success nonetheless because of the flight data it collected.”

NOTE: I finally had to suck it up and subscribe, missing too much space news. Reminder SpaceNews.com articles are paywalled (Sigh).

The United States Should Act Now to Mitigate Conflict Escalation on the Moon. WarOnTheRocks.com article. Pull quote: “This fictional crisis was designed to stress-test the existing space governance framework and examine how a multi-stakeholder environment might respond. What we found was instructive: Clear rules did not emerge from the crisis. Instead, the focus was on the process of developing rules that were inclusive, fair, and adaptable. Moreover, the exercise raised important questions about the role of private actors in shaping lunar governance and suggested the importance of third parties with greater perceived neutrality in developing guidelines for preventing future conflict. More broadly, these findings suggest, as we highlight in our recent paper, that while there is flexibility and willingness to cooperate on developing a new lunar governance framework, states might not yet have well-formed views for negotiations. States are just learning about this evolving environment in which the strength of the norms around governance is unclear.”

The first company to complete a fully successful lunar landing is going public. ArsTechnica.com article. Pull quote: “Firefly is deep into the capital-intensive development of a new medium-class rocket named Eclipse in partnership with Northrop Grumman, which made a $50 million strategic investment into Firefly in May. And Firefly is developing a spacecraft line called Elytra, a platform that can host military sensors and other payloads and maneuver them into different orbits.” Interesting discussion about IPOs.

Air leak persists on Russian ISS segment. SpaceNews.com article. Pull quote: ““All these scientists are working together to find the root cause of these cracks,” he [Krikalev, deputy director general of manned and automated complexes at Roscosmos] said. “It’s important for all, for the future designs of future stations, to be sure that we will not have a similar situation in the future, but for now we are managing to keep the crew safe.””

Space Force selects five firms for ‘Protected Tactical Satcom’ design contracts. SpaceNews.com article. Pull quote: “The Space Force said it plans to select a PTS-G design and award a production contract in 2026 for the first satellite that would launch in 2028, “putting the first PTS-G satellite in orbit. “A second wave of production awards for additional PTS-G satellite capability is planned for 2028, with launch planned for 2031,” the Space Systems Command said.”

EPA Sends Phasedown of Hydrofluorocarbons NPRM to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a notice of proposed rulemaking (NPRM) from the EPA on “Phasedown of Hydrofluorocarbons: Reconsideration of Technology Transitions Final Rule Under the American Innovation and Manufacturing Act of 2020”.

According to the Spring 2024 Unified Agenda entry for this rulemaking:

“The U.S. Environmental Protection Agency received petitions to reconsider certain provisions of the Technology Transitions final rule established under subsection (i) of the American Innovation and Manufacturing (AIM) Act. This proposal would reconsider topics raised by those petitions including adjustments to restrictions for refrigeration equipment used in semiconductor manufacturing and intermodal refrigerated transport and related to the continued manufacture and sale of condensing units in the residential and light commercial air conditioning and heat pump subsector. The proposed rule would also amend and clarify other provisions of the 2023 Technology Transitions rule in addition to those covered by the petitions.”

This should be interesting, a Trump EPA’s take on a Biden EPA’s response to petitions for relief from an early key piece of Biden’s legislative agenda.

Review - Bills Introduced – 7-29-25

On Tuesday, with the Senate in Washington and the House meeting in pro forma session, there were 101 bills introduced. Two of those bills will receive additional coverage in this blog:

HR 4818 To give effect to a final rule of the Pipeline and Hazardous Materials Safety Administration relating to gas pipeline leak detection and repair, and for other purposes. Peters, Scott H. [Rep.-D-CA-50]

S 2508 A bill to give effect to a final rule of the Pipeline and Hazardous Materials Safety Administration relating to gas pipeline leak detection and repair, and for other purposes. Luján, Ben Ray [Sen.-D-NM]


For more information on these bills, including legislative history for similar bills in the 118th, as well as a mention in passing of a military drone development bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-7-29-25 - subscription required.

Tuesday, July 29, 2025

Short Takes – 7-29-25

Climate change may be pushing fungal allergy season earlier. ScienceNews.org article. Pull quote: “Fungal allergy season gets going an average of 22 days earlier than it did 20 years ago, researchers report in the July GeoHealth. Rising temperatures and altered precipitation are linked to the new pattern, suggesting that climate change is making fungal allergy season worse.”

Leaked data. Continuous glucose monitoring. PenTestPartners.com article. Pull quote: “The data in the [exposed AWS] bucket appeared to be real time blood glucose readings. A few thousand devices, likely a clinical trial. Researching more online and joining some dots, the readings looked to be for such a closed loop system: Auto dosing.”

Curved molecule bottles sunlight and releases it as heat. CEN.ACS.org article. Pull quote: “The new type of anthracene, a liquid, packs 0.65 MJ of energy per kilogram, as much as a lithium-ion battery. Think of it as a battery that releases heat instead of electricity, says Grace Han, now a professor of chemistry at the University of California, Santa Barbara, who led the research while at Brandeis University.”

Senate GOP quietly urges House to shift approach on shutdown talk. TheHill.com article. Pull quote: “The Senate will resume voting on nominees Monday while Thune attempts to get all 99 other senators to sign off on a time agreement for expanding the appropriations package beyond military construction and Veterans Affairs.”

Hurricane season warning signs pile up. Brace for a dangerous August. Yahoo.com article. Pull quote: “He said that during this past week, MDR water temperatures have surged to the 7th warmest in the satellite record (back to 1981), running only slightly cooler than 2017 and 2005 at this point in the season. At the same time, he said the belt of water just north of the tropics has cooled since the start of the season, creating a more conducive orientation that favors rising air and storminess in the tropical Atlantic.”

“It’s shocking”; Massive raw milk outbreak from 2023 finally reported. ArsTechnica.com article. Pull quote: “But that seems to be the extent of the information at the time. For anyone paying attention, it might have seemed like the end of the story. But, according to the final outbreak investigation report—produced by CDPH and local health officials—the outbreak actually ran from September 2023 to March 2024, spanned five states, and sickened at least 171 people. That report was released last week, on July 24, 2025.”

EO 14318 – Accelerating Federal Permitting of Data Center Infrastructure: Federal Register,

EO 14319 – Preventing Woke AI in the Federal Government: Federal Register,

EO 14320 – Promoting the Export of the American AI Technology Stack: Federal Register,

EO 14321 – Ending Crime and Disorder on America's Streets: Federal Register

EO 14322 – Saving College Sports: Federal Register

Review – 3 Advisories and 2 Updates Published – 7-29-25

Today CISA’s NCCIC-ICS published three control system security advisories for products from Delta, Samsung, and National Instruments. They also updated two control system security advisories for products from Fuji and Johnson Controls.

Advisories

Delta Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Delta DTN Soft product.

Samsung Advisory - This advisory describes six vulnerabilities in the Samsung Data Management Server (DMS).

National Instruments Advisory - This advisory describes two vulnerabilities in the NI LabVIEW product.

Updates

Fuji Update - This update provides additional information on the Tellus Lite V-Simulator advisory that was originally published on December 3, 2024.

Johnson Controls Update - This update provides additional information on the iStar Door Controller advisory that was originally published on June 6th, 2024.

 

For more information on these advisories, see my article at CFSN Detailed Analysis, including links to researcher reports and a down-the-rabbit-hole look at the Delta vulnerability - https://patrickcoyle.substack.com/p/3-advisories-and-2-updates-published-5fa - subscription required.

Short Takes – 7-29-25 – Space Geek Edition

Ax-4 Recap: 18 Highlights for 18 Days On-Orbit. AxiomSpace.com article. Pull quote: “Ax-4 made history not just in science, but in design innovation with the debut of Mumm Cordon Rouge Stellar, the first champagne bottle engineered for space. The innovative bottle blends aerospace-grade engineering with elegant design to withstand microgravity while preserving the classic symbolism of champagne and meeting the rigorous demands of spaceflight. While the bottle was not opened during the mission, the bottle served as a proof of concept for how everyday objects must evolve for life beyond Earth. As commercial space exploration becomes more viable, innovations like this will help make off-world experiences feel more familiar, comfortable, and even celebratory.”

L3Harris has the future of PNT ready now. SatNews.com article. Pull quote: “Using their Navigation Technology Satellite-3 (NTS-3) reprogrammable payload and National Security Agency-certified reprogrammable cryptography, L3Harris successfully simulated the commanding of an R-GPS satellite to transmit navigation signals that were acquired and tracked by a monitor station receiver, as well as Military User Equipment and commercial receivers, signifying that R-GPS can seamlessly and efficiently be integrated into the existing GPS infrastructure.”

A secretive space plane is set to launch and test quantum navigation technology. ArsTechnica.com article. Pull quote: “Notably, the small X-37B is back to launching on a medium-lift rocket with this new mission. During its most recent flight that ended in March, the space plane launched on a Falcon Heavy rocket for the first time. This allowed the X-37B to fly beyond low-Earth orbit and reach an elliptical high-Earth orbit.”

Chinese scientist details first planned Mars sample-return mission Tianwen. TechnologyNewsChina.com article. Pull quote: “He introduced three primary scientific objectives for the Tianwen-3 mission: searching for potential signs of life on Mars, including biomarkers, fossils and archaea; studying the evolution of Mars' habitability, such as changes in water, atmosphere and oceans; and investigating the geological structure and evolutionary history of Mars, from surface features to internal dynamics.”

Firefly Awarded $177 Million NASA Contract for Mission to the Moon’s South Pole. FireFlySpace.com article. Pull quote: “The NASA-sponsored payloads onboard Blue Ghost include two rovers – the MoonRanger rover and a Canadian Space Agency rover – as well as a Laser Ablation Ionization Mass Spectrometer (LIMS), a Laser Retroreflector Array (LRA), and the Stereo Cameras for Lunar Plume Surface Studies (SCALPSS), which also flew on Blue Ghost Mission 1. These payloads will help uncover the composition and resources available at the Moon’s south pole, advance lunar navigation, evaluate the chemical composition of lunar regolith, and further study the effects of a lander’s plume on the Moon’s surface during landings.”

Review - Bills Introduced – 7-28-25

Yesterday, with just the Senate in session, there were 24 bills introduced. One of those bills may receive additional coverage in this blog:

S 2480 Telecom Cybersecurity Transparency Act Wyden, Ron [Sen.-D-OR]

This bill passed in the Senate on July 28th, 2025, under the unanimous consent process.

 

For more information on these bills, including legislative history for similar bills in the 118th, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-7-28-25 - subscription required.

Review - CSB Updated Status of 15 Investigation Recommendations – 7-25-25

Yesterday the Chemical Safety Board (CSB) updated their Recent Recommendation Status Updates page, closing five recommendations with acceptable alternative actions. These actions left 128 of 1019 recommendations open. Additionally, the CSB updated the open status of ten recommendations. The CSB took these actions on July 25th, 2025.

The five recently closed recommendations are:

• Marathon Martinez Renewable Fuels Fire - 2024-01-I-CA-R1 - Marathon Martinez Renewables,

• Kuraray Pasadena Release and Fire - 2018-03-I-TX-R5 - Kuraray America, Inc,

• Kuraray Pasadena Release and Fire - 2018-03-I-TX-R12 - Kuraray America, Inc,

• Intercontinental Terminals Company (ITC) Tank Fire - 2019-01-I-TX-R1 - Intercontinental Terminals Company, and

• Husky Energy Superior Refinery Explosion and Fire - 2018-02-I-WI-R16 - Honeywell UOP.

The ten open recommendations that were updated are:

• Marathon Martinez Renewable Fuels Fire - 2024-01-I-CA-R2 – Marathon Martinez Renewables,

• Marathon Martinez Renewable Fuels Fire - 2024-01-I-CA-R3 – Marathon Martinez Renewables,

• Marathon Martinez Renewable Fuels Fire - 2024-01-I-CA-R4 – Marathon Martinez Renewables,

• Marathon Martinez Renewable Fuels Fire - 2024-01-I-CA-R5 – Marathon Martinez Renewables,

• Marathon Martinez Renewable Fuels Fire - 2024-01-I-CA-R6 – Marathon Martinez Renewables,

• Marathon Martinez Renewable Fuels Fire - 2024-01-I-CA-R7 – Marathon Martinez Renewables,

• Honeywell Geismar Chlorine and Hydrogen Fluoride Releases - 2023-02-I-LA-R1 - Honeywell International Inc,

• Honeywell Geismar Chlorine and Hydrogen Fluoride Releases - 2023-02-I-LA-R2 - Honeywell International Inc,

• Honeywell Geismar Chlorine and Hydrogen Fluoride Releases - 2023-02-I-LA-R3 - Honeywell International Inc, and

• Aghorn Operating Inc. Waterflood Station Hydrogen Sulfide Release - 2020-01-I-TX-R3 - Aghorn Operating Inc.


For more details about the actions taken that resulted in these update actions, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/csb-updated-status-of-15-investigation - subscription required.

EPA Enforces CSB Reporting Rule – 7-28-25

Yesterday, the Chemical Safety Board (CSB) announced that the Environmental Protection Agency (EPA) had taken enforcement action against Pacific Gas and Electric Company (PG&E) for failing to comply with the CSB’s Accidental Release Reporting Rule even after being notified of the reporting requirement by the CSB. The action was taken under 40 CFR 1604.5. According to the announcement:

“Despite being advised by the CSB that the company was required to report the release, PG&E failed to submit a report to the CSB following the June 2023 incident. As provided by the Clean Air Act [link added, §112(r)(6)(O) pg 92], the CSB referred the matter to EPA for enforcement.”

The announcement further notes that:

“This settlement marks the first-ever enforcement action resolved under the CSB’s Accidental Release Reporting Rule. As part of the resolution, PG&E will pay a civil penalty of $45,273 and was required to submit the required report to the CSB earlier this year.”

Commentary

The CSB, in their discussions about rule enforcement, have always maintained that they would not take enforcement action for a simple reporting oversight. According to what has been reported here by the CSB, this is not a ‘simple oversight’, but a willful refusal to report even after being notified by the CSB of their failure to report the incident. With this consent agreement, it would appear that PG&E now acknowledges their failure to comply with their statutory obligations and will pay the relatively minor cost for doing so. Submitting the report would have been much cheaper.

Sunday, July 27, 2025

Review – Public ICS Disclosures – Week of 7-19-25 – Part 2

For Part 2 we have two additional vendor disclosures from National Instruments and Supermicro. We also have eight vendor updates from Broadcom (7) and Siemens.

Advisories

National Instruments Advisory - NI published an advisory that describes two vulnerabilities in their LabVIEW product. The vulnerabilities were reported by Michael Heinzl.

Supermicro Advisory - Supermicro published an advisory that discusses four transient execution vulnerabilities in multiple products.

Updates

Broadcom Update #1 - Broadcom published an update for their Linux Kernel advisory that was originally published on July 8th, 2025.

Broadcom Update #2 - Broadcom published an update for their GNU Glibc Kernel advisory that was originally published on July 8th, 2025.

Broadcom Update #3 - Broadcom published an update for their Linux Kernel advisory that was originally published on July 8th, 2025.

Broadcom Update #4 - Broadcom published an update for their Linux Kernel SUN RPC Subsystem advisory that was originally published on July 8th, 2025.

Broadcom Update #5 - Broadcom published an update for their Linux Kernel Vulnerable to Dangling Pointer advisory that was originally published on June 10th, 2025, and most recently updated on June 15th, 2025.

Broadcom Update #6 - Broadcom published an update for their Denial-of-Service advisory that was originally published on July 8th, 2025.

Broadcom Update #7 - Broadcom published an update for their Path Transversal advisory that was originally published on June 10th, 2025.

Siemens Update - Siemens published an update for their Denial of Service of ICMP advisory that was originally published on April 8th, 2025, and most recently updated on July 10th, 2025.

 

For more information on these disclosures, including links to 3rd party advisories and researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-7-b0f - subscription required.

Saturday, July 26, 2025

Review - Bills Introduced – 7-25-25

Yesterday, with the House meeting in pro forma session, there were 30 bills introduced. One of those bills will receive additional attention in this blog:

HR 4779 National Security, Department of State, and Related Programs Appropriations Act, 2026. DeGette, Diana [Rep.-D-CO-1]

 

For more information on these bills, including legislative history for similar bills in the 118th, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-7-25-25 - subscription required.

Chemical Incident Reporting – Week of 7-19-25

NOTE: See here for series background.

Brierfield, AL – 7-14-25

Local News Report: Here, here, and here.

There was a fire at a utility pole treatment plant. Due to the large volumes of hazardous chemicals on site, the decision was made to allow the fire to burn itself out rather than risk runoff contaminating a nearby river. One firefighter was treated at a local hospital for minor burns. Reports mention in passing damage to firefighting equipment.

Probable CSB reportable due to (unreported) level of damage to facility.

Corpus Christi, TX – 7-13-25

Local News Report: Here

There was an isobutylene release from a barge in the harbor here due to a faulty pressure relief valve. No injuries or damages were reported.

Not CSB reportable, transportation related incident.

Review – Public ICS Disclosures – Week of 7-19-25 – Part 1

This week is a moderately busy disclosure week. For Part 1 we have 12 vendor disclosures from ABB (2), Dell, ELECOM, Helmholz, Hitachi, HP, HPE (4), and MB connect.

Advisories

ABB Advisory #1 - ABB published an advisory that describes a buffer overread vulnerability in their AC500 V2 PLCs.

ABB Advisory #2 - ABB published an advisory that describes an active debug code vulnerability in their Busch-Welcome 2-wire door opener.

Dell Advisory - Dell published an advisory that discusses three vulnerabilities (one with publicly available exploit, two listed in CISA’s KEV catalog) in their ThinOS products.

ELECOM Advisory - JP-CERT published an advisory that describes two vulnerabilities in the ELECOM wireless LAN routers.

Helmholz Advisory - CERT-VDE published an advisory that describes eight vulnerabilities (with publicly available exploits) in the Helmholz REX 100 devices.

Hitachi Advisory - Hitachi published an advisory that discusses 35 vulnerabilities in their Disk Array products.

HP Advisory - HP published an advisory that describes 10 vulnerabilities in their Poly Clariti Manager product.

HPE Advisory #1 - HPE published an advisory that discusses nine vulnerabilities (two with publicly available exploits) in their Telco Network Function Virtual Orchestrator.

HPE Advisory #2 - HPE published an advisory that discusses two vulnerabilities (one with publicly available exploit) in their HP-UX Secure Shell daemon.

HPE Advisory #3 - HPE published an advisory that discusses an allocation of resources without limit or throttling vulnerability in their Telco Service Orchestrator product.

HPE Advisory #4 - HPE published an advisory that describes an observable discrepancy vulnerability in their Telco Service Orchestrator product.

MB Connect Advisory - CERT-VDE published an advisory that describes eight vulnerabilities (with publicly available exploits) in the MB connect mbNET.mini devices.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-7-565 - subscription required.

Friday, July 25, 2025

Short Takes – 7-25-25

Electrochemistry cleans up nitrate-contaminated water without costly, toxic metals. ChemistryWorld.com article. Pull quote: “Chemical engineer Ke Xie at Northwestern University in Illinois is impressed by the results – although he says the researchers’ mechanistic conclusions are undermined by the fact that the membrane pores in the simulations are approximately 30 times smaller than the pores in the actual material. ‘I think it’s probably a limitation of their computational capacity, because these kinds of simulations normally can’t describe tens of nanometre scales,’ he says. He is sceptical, however, that the method will be a viable source of ammonia. ‘What you get here is 100ppm ammonium, and it would take a lot of effort to take out this in a form in which it can be used,’ he says. ‘If I wanted better performance, I’d pursue a catalyst that didn’t produce any ammonium but just produced nitrogen, which escapes.’’

New York Proposes Cybersecurity Regulations for Water Systems. InfoSecurity-Magazine.com article. Pull quote: “Governor Kathy announced the proposals in a public release on July 22, which contain separate operational technology (OT) security requirements for water management firms from the New York State Department of Health (DOH) and New York State Department of Environmental Conservation (DEC).”

White House mulling a rare tool to block spending without Congress: What to know. TheHill.com article. Pull quote: ““If Congress cares about its power of the purse, it needs to find ways to actually assert itself and control the flow of spending, and not just let the Office of Management and Budget decide what’s actually going to get spent, and it seems like that might require joining this fight in a fairly open confrontation,” said Philip Wallach, a senior fellow focused on the “separation of powers” at the right-leaning American Enterprise Institute (AEI).”

Agency Information Collection Activities; Submission to the Office of Management and Budget (OMB) for Review and Approval; Comment Request; Traffic Coordination System for Space (TraCSS). Federal Register DOC 30-day ICR notice. Summary: “This is a request for a new collection of information. The Office of Space Commerce (OSC) is developing the Traffic Coordination System for Space (TraCSS) to provide space situational awareness (SSA) data, information, and services that support global spaceflight safety, space sustainability, and international coordination. In order to provide these services, TraCSS will enable spacecraft operators and national governments to register for the system. This will require the provision of information by these users as part of the registration process. Spacecraft operators are also asked to provide relevant operational information on an ongoing basis to facilitate provision of safety services.”

EO 14317 - Creating Schedule G in the Excepted Service. Federal Register.

HR 3944 Considered in Senate – MilCon Spending – 7-24-25

Yesterday the Senate continued their consideration of HR 3944, the Military Construction, Veterans Affairs, and Related Agencies Appropriations Act. There were 19 amendments proposed with most being proposed revisions to SA 2976, the substitute language that was proposed on Tuesday. The most interesting amendment is SA 3038, another substitute language amendment proposed by Sen Collins (R,ME). Similar to Wednesday’s SA 2977, it would combine some version of the Senate’s Milcon spending language (SA 2976), the Senate’s AER spending bill (S 2256) and the Senate’s CJS spending bill (S 2354). There is too much detail involved to be able to tell the differences between the various versions proposed to date.

Review - Bills Introduced – 7-24-25

Yesterday, with just the Senate in Washington, there were 49 bills introduced. Three of those bills will receive additional coverage in this blog:

HR 4754 Department of the Interior, Environment, and Related Agencies Appropriations Act, 2026 Rep. Simpson, Michael K. [R-ID-2]

S 2431 An original bill making appropriations for the Department of the Interior, environment, and related agencies for the fiscal year ending September 30, 2026, and for other purposes. Murkowski, Lisa [Sen.-R-AK]

S 2465 An original bill making appropriations for the Departments of Transportation, and Housing and Urban Development, and related agencies for the fiscal year ending September 30, 2026, and for other purposes. Hyde-Smith, Cindy [Sen.-R-MS]

 

For more information on these bills, including legislative history for similar bills in the 118th, as well as a mention in passing of an administrative agency sunset bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-7-24-25 - subscription required.

Transportation Chemical Incidents – Week of 6-21-25

Reporting Background

See this post for explanation, with the most recent update here (removed from paywall).

Data from PHMSA’s online database of transportation related chemical incidents that have been reported to the agency.

Incidents Summary

• Number of incidents – 558 (531 highway, 24 air, 3 rail, 0 water)

• Serious incidents – 6 (4 Bulk release, 0 evacuation, 0 injury, 0 death, 2 major artery closed, 1 fire/explosion, 18 no release)

• Largest container involved – 25,750-gal DOT 111A100W5 Railcar {Hydrochloric Acid} Pressure relief device release upon hard coupling.

• Largest amount spilled – 1,280-gal FRP Trailer {Hypochlorite Solutions} Discharge to ground during unloading operation.

• Total amount reported spilled in all incidents – 3402.3-gal

NOTE: Links above are to Form 5800.1 for the described incidents.

Most Interesting Chemical: Tetramethylammonium Hydroxide Solution: Tetramethylammonium hydroxide is a solid in the hydrated form or a colorless liquid with a strong ammonia-like odor. It is soluble in water. It is corrosive to metals and tissue. (Source: CameoChemicals.NOAA.gov).

 



Thursday, July 24, 2025

Review – 5 Advisories and an Update Published – 7-24-25

Today CISA’s NCCIC-ICS published four control system security advisories for products from LG Innotek, Honeywell, Network Thermostat, and Mitsubishi Electric, as well as a medical device security advisory for products from Medtronic. They also updated an advisory for products from ICONICS/Mitsubishi.

Advisories

LG Advisory - This advisory describes an authentication bypass using an alternate path or channel vulnerability in the LG Innotek camera model LNV510R.

Honeywell Advisory - This advisory describes six vulnerabilities in the Honeywell Experion PKS. The vulnerabilities were reported by Positive Technologies.

Network Thermostat Advisory - This advisory describes a missing authentication for critical function vulnerability in the Network Thermostat X-Series WiFi thermostats.

Mitsubishi Advisory - This advisory discusses an uncontrolled search path element vulnerability in the Mitsubishi CNC Series products.

Medtronic Advisory - This advisory describes three vulnerabilities in the Medtronic MyCareLink Patient Monitors.

Updates

Mitsubishi Update - This update provides additional information on the MC Works64 advisory that was originally published on July 26th, 2022.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-an-update-published - subscription required.

HR 3944 Considered in Senate – MilCon Spending – 7-23-25

Yesterday the Senate continued their consideration of HR 3944, the Military Construction, Veterans Affairs, and Related Agencies Appropriations Act. There were 41 amendments proposed with most being proposed revisions to SA 2976, the substitute language that was proposed on Tuesday.

Of potential interest here is SA 2977, another proposed substitute language by Sen Collins (R,ME). Similar to Tuesday’s SA 2976, Division A of that amendment would be the Military Construction, Veterans Affairs, and Related Agencies Appropriations portion; Division B would be the Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations portion; Division C would be the Legislative Branch Appropriations, 2026 portion. This version would add Division D, Commerce, Justice, Science, and Related Agencies Appropriations. That Division D language would presumably be based upon S 2354 (a House version has not yet been introduced). At this point it is not clear which version of substitute language will form the basis for the Senate’s consideration of HR 3944.

Review - Bills Introduced – 7-23-25

Yesterday, with both the House and Senate in Washington (and the House preparing for an early start to their ‘August’ recess), there were 187 bills introduced. One of those bills may receive additional coverage in this blog:

HR 4649 To promote the use of smart technologies and systems in communities, and for other purposes. DelBene, Suzan K. [Rep.-D-WA-1]

 

For more information on these bills, including legislative history for similar bills in the 118th, as well as a mention in passing of two UAS arms control bills, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-7-23-25 - subscription required.

Wednesday, July 23, 2025

Short Takes – 7-23-25

House stymied as Speaker Johnson’s hand-picked committee rebels over Epstein. TheHill.com article. Pull quote: “For now, Johnson is stuck in a difficult balancing act of weighing the eagerness among members to cast a vote in favor of releasing the Epstein documents, the outcry from the MAGA base, and his vested interest in placating Trump, who has urged GOP lawmakers to drop the matter — all while trying to manage the House floor.”

Senate Democrats agree to advance military construction, VA spending bill. TheHill.com article. Pull quote: ““First, it was done in a bipartisan process, no question about it. Second, it undoes many of the awful [Department of Government Efficiency] cuts to veterans and, third, we’ll have an amendment process,” he said, noting that Democrats only voted for the motion to begin a floor debate on the legislation.”

Eliminating Chemical Safety Board Raises Industry Concerns. PowderBulkSolids.com article. Pull quote: “Even some industry groups have opposed the shutdown. Shakeel Kadri, executive director of the Center for Chemical Process Safety (CCSP), told The New York Times that the CSB provides an invaluable service, especially to small- and medium-sized companies that lack the resources to conduct sophisticated root-cause analyses themselves. The board’s findings, he noted, are not only used domestically but also referenced in academia and abroad.”

How many steps a day do you really need to take? ScienceNews.org article. Pull quote: “Still, experts have shown that even small changes in physical activity can boost overall health. “Every step counts,” del Pozo Cruz says. “You don’t need to reach 10,000 steps to see improvements — just moving more each day, even from a very low baseline, can reduce your risk of serious health problems.””

Review - Bills Introduced – 7-22-25

Yesterday, with both the House and Senate in session, there were 70 bills introduced. One of those bills will receive additional coverage in the blog:

HR 4590 To codify Executive Order 14305 (relating to restoring American airspace sovereignty). Finstad, Brad [Rep.-R-MN-1]

 

For more information on these bills, including legislative history for similar bills in the 118th, as well as a mention in passing of a bill that would require reporting of child pornography found in AI training sets, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-7-22-25 - subscription required.

HR 3944 Considered in Senate – MilCon Spending – 7-22-25

Yesterday the Senate began consideration of HR 3944, the Military Construction, Veterans Affairs, and Related Agencies Appropriations Act, with a strongly bipartisan vote of 91 to 7 to begin consideration. That vote does not signal support for the partisan spending bill passed in the House, but rather showed support for moving forward on the spending bill process.

Twelve amendments to HR 3944 were proposed yesterday. The most important will probably be SA 2976 introduced by Sen Collins (R,ME). This should be the substitute language from the Senate Appropriations Committee that will probably form the basis for the Senate debate on HR 3944. It includes, as Division B, the Agriculture, Rural Development, Food and Drug Administration, and Related Agencies Appropriations Act, 2026 (taken from S 2256), and, as Division C, Legislative Branch Appropriations Act, 2026 (taken from S 2257).

If this bill manages to pass in the Senate, it will do so with at least some bipartisan (60 votes needed for passage) support. That means that there will be spending levels and other provisions (or lack of provisions) that will make it lose significant support from radical Republicans in the House. That would mean the amended bill would require bipartisan support in the House to be sent to the President. That could cause problems for Speaker Johnson, both with the Republican fringe and the President.

DOD Sends DFARS Cybersecurity Assessment Final Rule to OMB

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had received a final rule from the DOD’s Defense Acquisition Resource Center (DARC) on “Defense Acquisition Resource Center”. DOD published an interim final rule for this rulemaking on September 29th, 2020. The notice of proposed rulemaking for the final rule was published on August 15th, 2024.

According to the Fall 2024 Unified Agenda entry for this rulemaking:

“DoD is issuing a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the contractual requirements associated with the CMMC 2.0 Framework in order to protect against the theft of intellectual property and sensitive information from the Defense Industrial Base (DIB) sector. The CMMC 2.0 Framework, as defined in Title 32 of the Code of Federal Regulations (CFR), assesses compliance with applicable information security requirements. This rule provides DoD with assurances that a DIB contractor can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.”

I will probably not be covering this final rule in any detail, but I will at least announce its publication in the appropriate ‘Short Takes’ post.

Tuesday, July 22, 2025

Short Takes – 7-22-25

ADEPTATION IN ACTION: Why Counter UAS is Now EOD Business. LinkedIn.com article. Pull quote: “Counter UAS technology gives us new tools, but more importantly, it gives us new awareness. RF spectrum analyzers can detect active drone control signals, but as we see, this has started to evolve as fiber is now being used. Acoustic sensors can identify the unique signatures of different rotor configurations. Visual detection systems can track small moving objects against complex backgrounds. These are no longer air defense tools; they're EOD/Bomb Squad tools.”

Starship Will Put an Entire Space Station in Orbit in One Go, They Call It Starlab. AutoEvolution.com article. Pull quote: “The Starlab is, for all intents and purposes, less glamorous than, say, the Orbital Reef or the two Havens. It is only meant to comprise a service module to hold the power and propulsion elements and a habitat to hold humans and their activities, both of which will be launched into orbit in a single flight – one that will probably take place in 2028 on board a SpaceX Starship.”

In a race to replace the International Space Station, Vast unveils new headquarters in Long Beach. LBPost.com article. Pull quote: “So far, they’re on schedule. The company began construction of the Haven-1 at its Long Beach headquarters in July 2024 and has its primary structure welded together. Further tests — for the craft’s avionics, visual dome, air locks and more — will need to be conducted in Long Beach or at the company’s test stand in Mojave, Calif. Some tests, such as the simulated g-force of a launch, will be conducted at a NASA facility in Ohio.”

Collapse of key Atlantic currents may be held off by newly-discovered back-up system, study finds. LiveScience.com article. Pull quote: “More research is needed to figure out whether this back-up system will last in a warming world. There is also a question mark over how well the Arctic Ocean can really replace the Nordic Seas by forming extremely dense water, said Nicholas Foukal, a physical oceanographer and assistant professor at the University of Georgia who was not involved in the study.”

Experts issue warning on ocean phenomenon that could impact hurricane season: 'It's been notable over the month'. Yahoo.com article. Pull quote: “"An Atlantic Niña is cooler than normal sea surface temperatures in the Gulf of Guinea, which tends to weaken the monsoon and easterly waves over West Africa," Schreck told the Cayman Compass. "The strength of that monsoon is a key predictor of hurricane activity, so an Atlantic Niña could reduce activity."”

After a partly successful test flight, European firm eyes space station mission.  Pull quote: “One reason Huby was in the United States this week was to work with NASA on requirements. That's because the company aspires to fly Nyx to the International Space Station as early as 2028, two years before the orbiting laboratory is due to be retired. At this point, in talking to Huby, the company seems likely to move directly into Nyx development and flying to the space station on its first mission.”

'Doghouse' days of summer — Boeing's Starliner won't fly again until 2026, and without astronauts aboard. Space.com article. Pull quote: “The last update provided about the stalled but stalwart space capsule announced a suite of tests set for this summer at NASA's White Sands Test Facility in New Mexico. NASA and Boeing had hoped to have those tests completed and fixes determined to ready Starliner for another flight by the end of this year, but that timeline seems to have slipped. NASA officials say they are now working toward the goal of launching Starliner again no sooner than early 2026.”

Review – 6 Advisories and 3 Updates Published – 7-22-25

Today CISA’s NCCIC-ICS published six control system security advisories for products from Schneider (4), Lantronix, and DuraComm. They also published three control system advisory updates for products from Schneider.

Advisories

Schneider Advisory #1 - This advisory describes six vulnerabilities in the Schneider EcoStruxure IT Data Center Expert.

Schneider Advisory #2 - This advisory discusses a cross-site scripting vulnerability (listed in CISA’s Known Exploited Vulnerability catalog) in the Schneider System Monitor Application products.

Schneider Advisory #3 - This advisory discusses six vulnerabilities (three with publicly available exploits two of which are listed in the KEV catalog) in the Schneider EcoStruxure Power Operation products.

Schneider Advisory #4 - This advisory describes an exposure of resource to wrong sphere vulnerability in the Schneider EcoStruxure Power Monitoring Expert and Power Operation products.

Lantronix Advisory - This advisory describes an improper restriction of external XML entity reference vulnerability in the Lantronix Provisioning Manager.

DuraComm Advisory - This advisory describes three vulnerabilities in the DuraComm SPM-500 DP-10iN-100-MU, a power distribution panel.

Updates

Schneider Update #1 - This update provides additional information on the Vijeo Designer advisory that was originally published on January 14th, 2025.

Schneider Update #2 - This update provides additional information on the EVLink WallBox advisory that was originally published on June 24th, 2025.

Schneider Update #3 - This update provides additional information on the Modicon Controllers advisory that was originally published on June 24th, 2025.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-and-3-updates-published - subscription required.

PHMSA Announces Pipeline Safety Priorities – 7-22-25

Today, DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) announced their first pipeline inspection and enforcement (I&E) priorities. Those priorities are outlined in some depth in a memo from PHMSA’s Linda Daugherty, Acting Associate Administrator for Pipeline Safety. The memo outlines the responsibilities of the Office of Pipeline Safety (OPS) and explains the following priorities for that Office:

• Incidents and Accidents (pg 5);

• High and Moderate Consequence Areas (pg 6);

• Control Room Management and Leak Detection (pg 6);

• Damage Prevention (pg 7); and 

• Transactions and Due Diligence (pg 7)


This does not appear to be inherently a reduction in enforcement activities, but I suspect that PHMSA’s OPS has some level of staffing shortage from the early DOGE efforts and the OMB’s voluntary resignation program. That will inevitably result in reduced enforcement activities and make prioritization of efforts that much more important.

CSB Publishes 3rd Volume of Reported Incident Summaries – 7-21-25

Today the Chemical Safety Board announced the publication of the 3rd volume of their Incident Reports. This volume provides investigation summaries of thirty accidental chemical release incidents reported to the Board since April 15th, 2020. The investigations were not conducted by the CSB, but rather by the affected companies. Volume 1 (26 incidents) was published in January of this year and Volume 2 (25 incidents) in March.

While these investigation reports are not up to the technical standards of the CSB, they still provide valuable insights into how accidental releases occur in the chemical industry. Readers are going to have to deduce and apply the lessons learned as there are no recommendations from the Board at the end of these reports.

Review - Bills Introduced – 7-21-25

Yesterday, with both the House and Senate in session, there were 50 bills introduced. Three of those bills may receive additional coverage in this blog:

HR 4552 Transportation, Housing and Urban Development, and Related Agencies [THUD] Appropriations Act, 2026 Womack, Steve [Rep.-R-AR-3].

HR 4553 Energy and Water Development and Related Agencies [EWR] Appropriations Act, 2026 Fleischmann, Charles J. "Chuck" [Rep.-R-TN-3] 

HR 4579 To amend the Homeland Security Act of 2002 to provide for the mitigation of cybersecurity risks by the Federal Emergency Management Agency, and for other purposes. Thompson, Bennie G. [Rep.-D-MS-2]


For more information on these bills, including legislative history for similar bills in the 118th, as well as a mention of two bills in passing (a slap at the Wall Street Journal and a hurricane warning study) see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-7-21-25 - subscription required.

Monday, July 21, 2025

Short Takes – 7-21-25

Tendeg secures repeat order for twelve large deployable antennas from Capella Space. SpaceNews.com article. Pull quote: “Tendeg’s antennas are manufactured in-house with key elements of the supply chain being vertically integrated. This includes the investment of capital equipment to knit mesh, braid cord and perform end-to-end environmental testing in-house, allowing for tighter control over quality, cost, and delivery timelines. With key raw materials sourced domestically, Tendeg’s supply chain is built for resilience in the face of tariffs, export controls, and shifting geopolitical landscapes.”

NOTE: A couple of weeks ago I mentioned the SpaceNews.com paywall. The article above is not paywalled. Most are, some are not, I have not figured out what the difference is. The site is an important source of Space Geek news, but a subscription is just not in the budget. So it will continue to be catch as catch can.

Republicans fear Washington headed for shutdown after bruising spending fights. TheHill.com article. Pull quote: “Senate Republicans familiar with Thune’s plans say he hopes to bring a package of appropriations bills to the Senate floor the week before the August recess. That package would likely consist of the agriculture appropriations bill, the military construction and veterans affairs appropriations bill and possibly the legislative branch appropriations bill and the commerce, justice, science appropriations measure.”

Epstein furor upends House for second week in row. TheHill.com article. Pull quote: “Rather than face those [Rules Committee] votes, Republicans are opting to simply not tee up any votes at all, according to multiple members of the panel — leaving the House with no floor business in the days ahead of August recess beyond noncontroversial suspension bills, fast-track measures that need two-thirds support to pass.”

What a Wandering Mind Learns. ScientificAmerican.com article. Pull quote: “Simor, who studies sleep, was interested in whether participants’ mind wandering displayed any neural hallmarks of dozing off. Using electroencephalogram recordings, the team showed that in those test periods, participants’ brains produced more of the slow waves that are dominant during sleep. Perhaps, the researchers say, mind wandering is like a form of light sleep that provides some of that state’s learning benefits. To better understand whether mind wandering might compensate for lost sleep, Simor and his colleagues next plan to study narcolepsy and sleep deprivation.”

Review – Committee Hearings – Week of 7-20-25

With the August recess fast approaching (maybe, some talk about delaying the start or maybe cancelling completely to allow the Senate to continue approving nominations) there is a fairly heavy hearing schedule. Spending bill markups continue to be scheduled on both sides of the Hill. Other hearings of specific interest here are cybersecurity and pipeline safety hearings in the House and a counter UAS hearing in the Senate.

Spending Bills

• Monday House Committee – Financial Services,

• Tuesday House Committee – Interior, Environment, and Related Services (IER),

• Wednesday House Committee – State,

• Thursday House Committee – Commerce, Justice, Science and Related Services (CJS),

• Thursday Senate Committee – IER and THUD

Cybersecurity

On Tuesday the Subcommittee on Cybersecurity and Infrastructure Protection of the House Homeland Security Committee will hold a hearing on “Fully Operational: Stuxnet 15 Years Later and the Evolution of Cyber Threats to Critical Infrastructure.”

Pipeline Safety

On Tuesday the Subcommittee on Energy of the House Energy and Commerce Committee will hold a hearing on “Strengthening American Energy: A Review of Pipeline Safety Policy”.

cUAS

On Tuesday the Senate Judiciary Committee will hold a hearing on “Securing the Skies: Law Enforcement, Drones, and Public Safety”.

 

For more information on these hearings, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/committee-hearings-week-of-7-20-25 - subscription required.


Sunday, July 20, 2025

Review – Public ICS Disclosures – Week of 7-12-25 – Part 2

For Part 2 we have 3 additional vendor disclosures from Rockwell, VMware, and Zyxel. There are 6 updated advisories from Broadcom (2), Moxa, Siemens, VMware, and Zyxel. Finally, we have 7 researcher reports about vulnerabilities in products from Zyxel and Dassault Systèmes (6).

Advisories

Rockwell Advisory - Rockwell published an advisory that discusses four vulnerabilities in their Lifecycle Services with VMware product.

VMware Advisory - Broadcom published an advisory that describes four vulnerabilities in multiple VMware products.

Zyxel Advisory - Zyxel published an advisory that describes a path traversal vulnerability in multiple access point (AP) products.

Updates

Broadcom Update #1 - Broadcom published an update for their ASCG Vulnerability Disclosures advisory that was originally published on January 7th, 2025, and most recently updated on June 10th, 2025. 

Broadcom Update #2 - Broadcom published an update for their AF_UNIX Module advisory that was originally published on June 10th, 2025.

Moxa Update - Moxa published an update for their EDS-508A Series advisory that was originally published on January 15th, 2025.

Siemens Update - Siemens published an update for their SICAM TOOLBOX advisory that was originally published on July 8th, 2025.

VMware Update - Broadcom published an update for their VMware NSX advisory that was originally published on June 4th, 2025.

Zyxel Update - Zyxel published an update for their denial-of-service vulnerabilities of CPE advisory that was originally published on December 17th, 2020, and most recently updated on January 29th, 2021.

Researcher Reports

Dassault Reports - The Zero Day Initiative published six reports of individual vulnerabilities in the Dassault Systèmes eDrawings Viewer.

Zyxel Report - Vulncheck published a report that describes a command injection vulnerability in multiple Zyxel CPE models.

 

For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-7-6e6 - subscription required.